Forwarding port eth tun0 works for one NIC, but not other
In my VPN, the client with address 10.8.0.2 exposes ports 80 and 5000. I need to forward these ports on the server to the client so I can access the "forwarded" ports from outside of the VPN network.
I have two EC2 NICs and their IPs/subnets on the server machine (both assigned AWS Elastic IPs I use):
- IP availability to world
- 172.31.39.1/20 (ping works, forwarding works)
- 172.31.39.237/20 (ping works, forwarding doesn't work)
I was able to forward ens5 to that client port easily. Unfortunately, ens6 only responds to ICMP requests from outside (ping works for both IPs), but it is not usable to connect to my ports. The setup does not work as expected.
- telnet can't connect to ports 80, 500 from outside to NIC2's (ens6's) public IP.
- ping from outside for both NICs/IPs works.
- from inside the server, I can ping -I <dev> 8.8.8.8 with both ens5 and ens6.
Interfaces
ip a
1: lo:
2: ens5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
    link/ether aa:aa:aa:aa:aa:aa brd ff:ff:ff:ff:ff:ff
    inet 172.31.39.1/20 brd 172.31.47.255 scope global dynamic ens5
       valid_lft 2694sec preferred_lft 2694sec
3: ens6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether bb:bb:bb:bb:bb:bb brd ff:ff:ff:ff:ff:ff
    inet 172.31.39.237/20 brd 172.31.47.255 scope global ens6
       valid_lft forever preferred_lft forever
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    link/none
    inet 10.8.0.1/24 brd 10.8.0.255 scope global tun0
       valid_lft forever preferred_lft forever
/etc/netplan/50-cloud-init.yaml
network:
  version: 2
  ethernets:
    ens5: # NIC 1 = 172.31.39.1
      dhcp4: true
      match:
        macaddress: aa:aa:aa:aa:aa:aa
      set-name: ens5
/etc/netplan/51-ens6.yaml
network:
  version: 2
  renderer: networkd
  ethernets:
    ens6: # NIC 2 = 172.31.39.237
      match:
        macaddress: bb:bb:bb:bb:bb:bb
      dhcp4: no
      addresses: [172.31.39.237/20]
      routes:
        - to: 0.0.0.0/0
          via: 172.31.32.1
          table: 1000
        - to: 172.31.39.1
          via: 0.0.0.0
          scope: link
          table: 1000
      routing-policy:
        - from: 172.31.39.237
          table: 1000
Firewall
sysctl net.ipv4.ip_forward is set to 1.
/etc/ufw/before.rules
#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
# ufw-before-input
# ufw-before-output
# ufw-before-forward
#
# START OPENVPN RULES
*nat
:POSTROUTING ACCEPT [0:0]
# Masquerade outgoing traffic
-A POSTROUTING -o ens5 -j MASQUERADE
-A POSTROUTING -o ens6 -j MASQUERADE
-A POSTROUTING -o tun0 -j MASQUERADE
# Allow return traffic
-A INPUT -i ens5 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ens6 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A PREROUTING -i ens5 -p tcp --dport 80 -j DNAT --to-destination 10.8.0.2
-A PREROUTING -i ens6 -p tcp --dport 80 -j DNAT --to-destination 10.8.0.2
-A PREROUTING -i ens5 -p tcp --dport 443 -j DNAT --to-destination 10.8.0.2
-A PREROUTING -i ens6 -p tcp --dport 443 -j DNAT --to-destination 10.8.0.2
-A PREROUTING -i ens5 -p tcp --dport 5000 -j DNAT --to-destination 10.8.0.2
-A PREROUTING -i ens6 -p tcp --dport 5000 -j DNAT --to-destination 10.8.0.2
COMMIT
# END OPENVPN RULES
# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# End required lines
# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT
# quickly process packets for which we already have a connection
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
# ok icmp code for FORWARD
-A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT
# allow dhcp client to work
-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT
#
# ufw-not-local
#
-A ufw-before-input -j ufw-not-local
# if LOCAL, RETURN
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
# if MULTICAST, RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
# if BROADCAST, RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
# all other non-local packets are dropped
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
# allow MULTICAST mDNS for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT
# allow MULTICAST UPnP for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT
# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT
UFW status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip
To Action From
-- ------ ----
22/tcp ALLOW IN Anywhere
1194/udp ALLOW IN Anywhere
80/tcp ALLOW IN Anywhere
5000/tcp ALLOW IN Anywhere
Anywhere ALLOW IN 80/tcp
Anywhere on tun0 ALLOW IN Anywhere
22/tcp (v6) ALLOW IN Anywhere (v6)
80/tcp (v6) ALLOW IN Anywhere (v6)
5000/tcp (v6) ALLOW IN Anywhere (v6)
Anywhere (v6) ALLOW IN 80/tcp (v6)
Anywhere (v6) on tun0 ALLOW IN Anywhere (v6)
Anywhere ALLOW OUT Anywhere on tun0
80/tcp ALLOW OUT Anywhere on eth0
10.8.0.0/24 ALLOW OUT Anywhere on ens5
Anywhere ALLOW OUT Anywhere on ens5
Anywhere (v6) ALLOW OUT Anywhere (v6) on tun0
80/tcp (v6) ALLOW OUT Anywhere (v6) on eth0
Anywhere (v6) ALLOW OUT Anywhere (v6) on ens5
Routing
ip rule list
0: from all lookup local
0: from 172.31.39.237 lookup 1000
32766: from all lookup main
32767: from all lookup default
route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 172.31.32.1 0.0.0.0 UG 100 0 0 ens5
10.8.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
172.31.32.0 0.0.0.0 255.255.240.0 U 0 0 0 ens6
172.31.32.0 0.0.0.0 255.255.240.0 U 0 0 0 ens5
172.31.32.1 0.0.0.0 255.255.255.255 UH 100 0 0 ens5
ip route show table all
default via 172.31.32.1 dev ens6 table 1000 proto static
172.31.39.1 dev ens6 table 1000 proto static scope link
default via 172.31.32.1 dev ens5 proto dhcp src 172.31.39.1 metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
172.31.32.0/20 dev ens6 proto kernel scope link src 172.31.39.237
172.31.32.0/20 dev ens5 proto kernel scope link src 172.31.39.1
172.31.32.1 dev ens5 proto dhcp scope link src 172.31.39.1 metric 100
broadcast 10.8.0.0 dev tun0 table local proto kernel scope link src 10.8.0.1
local 10.8.0.1 dev tun0 table local proto kernel scope host src 10.8.0.1
broadcast 10.8.0.255 dev tun0 table local proto kernel scope link src 10.8.0.1
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 172.31.32.0 dev ens6 table local proto kernel scope link src 172.31.39.237
broadcast 172.31.32.0 dev ens5 table local proto kernel scope link src 172.31.39.1
local 172.31.39.1 dev ens5 table local proto kernel scope host src 172.31.39.1
local 172.31.39.237 dev ens6 table local proto kernel scope host src 172.31.39.237
broadcast 172.31.47.255 dev ens6 table local proto kernel scope link src 172.31.39.237
broadcast 172.31.47.255 dev ens5 table local proto kernel scope link src 172.31.39.1
local ::1 dev lo proto kernel metric 256 pref medium
fe80::/64 dev ens6 proto kernel metric 256 pref medium
fe80::/64 dev ens5 proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
local fe80::88f:a9ff:fe75:11f2 dev ens6 table local proto kernel metric 0 pref medium
local fe80::894:3dff:fe41:89b4 dev ens5 table local proto kernel metric 0 pref medium
local fe80::7507:4098:a74d:65f8 dev tun0 table local proto kernel metric 0 pref medium
ff00::/8 dev ens6 table local metric 256 pref medium
ff00::/8 dev ens5 table local metric 256 pref medium
ff00::/8 dev tun0 table local metric 256 pref medium
Client config
To be short, let's assume:
iptables -I INPUT -j ACCEPT
iptables -I FORWARD -j ACCEPT
iptables -I OUTPUT -j ACCEPT
What am I missing?
ubuntu openvpn ufw ubuntu-18.04 netplan
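As an added illustration, not part of the question or of any posted answer, the following Python script replays the Linux policy-routing decision over the `ip rule list` and IPv4 `ip route show table all` output from the question, and applies the general rule-walk plus longest-prefix-match algorithm to any source/destination pair rather than only the case in the question. It assumes the standard netfilter ordering in which a forwarded reply has its destination un-masqueraded in PREROUTING but gets its source rewritten back to the public address only in POSTROUTING, after the routing decision; the external address 203.0.113.10 and the table contents are constructed from the question's output.

```python
import ipaddress

# Constructed sample input: the `ip rule list` entries from the question as
# (priority, source selector, table), and the IPv4 unicast routes from
# `ip route show table all` as table -> [(prefix, device)]. Routes are kept in
# the order the kernel printed them; for equal prefix lengths the first wins.
IP_RULES = [
    (0, None, "local"),
    (0, "172.31.39.237/32", "1000"),
    (32766, None, "main"),
    (32767, None, "default"),
]

IP_ROUTES = {
    "local": [  # addresses owned by the host itself: delivered locally
        ("10.8.0.1/32", "lo"),
        ("127.0.0.0/8", "lo"),
        ("172.31.39.1/32", "lo"),
        ("172.31.39.237/32", "lo"),
    ],
    "1000": [  # table created by 51-ens6.yaml
        ("0.0.0.0/0", "ens6"),
        ("172.31.39.1/32", "ens6"),
    ],
    "main": [
        ("0.0.0.0/0", "ens5"),
        ("10.8.0.0/24", "tun0"),
        ("172.31.32.0/20", "ens6"),
        ("172.31.32.0/20", "ens5"),
        ("172.31.32.1/32", "ens5"),
    ],
    "default": [],
}


def lookup_table(table, dst):
    """Longest-prefix match of dst in one routing table; None if no route."""
    best = None
    for prefix, dev in IP_ROUTES[table]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return None if best is None else best[1]


def route(src, dst):
    """Policy-routing decision: walk the rules by priority and return the
    (table, device) of the first table that has a route for dst."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _prio, selector, table in sorted(IP_RULES, key=lambda r: r[0]):
        if selector is not None and src not in ipaddress.ip_network(selector):
            continue  # rule's "from" selector does not match this source
        dev = lookup_table(table, dst)
        if dev is not None:
            return table, dev
    return None, None


def forwarded_reply_egress(public_ip, dnat_target, external_client):
    """Egress device of the reply on a DNAT'd, masqueraded connection.

    Inbound: external_client -> public_ip is DNAT'd in PREROUTING to
    dnat_target and masqueraded towards tun0 in POSTROUTING. The reply from
    dnat_target has its destination restored in PREROUTING, but its source is
    only rewritten back to public_ip in POSTROUTING, i.e. after routing. The
    lookup therefore keys on src=dnat_target, not on src=public_ip.
    """
    table, dev = route(dnat_target, external_client)
    return {"routing_src": dnat_target, "wire_src": public_ip,
            "table": table, "dev": dev}


if __name__ == "__main__":
    ext = "203.0.113.10"  # constructed external client address
    print("locally sourced reply from 172.31.39.237:", route("172.31.39.237", ext))
    for nic_ip in ("172.31.39.1", "172.31.39.237"):
        print("forwarded reply for", nic_ip, forwarded_reply_egress(nic_ip, "10.8.0.2", ext))
```

Run stand-alone, the script shows the asymmetry behind the symptoms in the question: an ICMP echo to 172.31.39.237 is answered by the host itself with that source address, so the `from 172.31.39.237` rule selects table 1000 and the reply leaves on ens6, while the reply of a DNAT'd TCP connection is routed while its source is still 10.8.0.2, falls through to the main table and leaves on ens5 with the ens6 address as its source once POSTROUTING has restored it. For the ens5 address that is the right interface, for the ens6 address it is not. The usual way to key such lookups on the connection rather than on the pre-NAT source is a connection mark set on the inbound interface, restored on the reply, and matched by an `ip rule` with an `fwmark` selector.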
In my VPN, client with address 10.8.0.2
exposes ports 80 and 5000. I need to forward these ports on server to the client so i can access "forwarded" ports from outside of the VPN network.
I have two EC2 NICs and their ip/subnets on the server machine (both assigned AWS Elastic IP i use):
- IP availability to world
- 172.31.39.1/20 (ping works, forwarding works)
- 172.31.39.237/20 (ping works, forwarding doesn't work)
I was able to forward ens5
to that client port easily. Unfortunately, ens6
only respond for ICMP requests (ping
works for both IPs) from outside, but it is not usable to connect to my ports. The setup does not work as expected.
telnet
can't connect to ports 80,500 from outside of NIC2, ens6's public IP.- ping from outside for both NICs/IPs works
- from inside the server, i can
ping -I <dev> 8.8.8.8
both withens5
andens6
Interfaces
ip a
1: lo:
2: ens5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
link/ether aa:aa:aa:aa:aa:aa brd ff:ff:ff:ff:ff:ff
inet 172.31.39.1/20 brd 172.31.47.255 scope global dynamic ens5
valid_lft 2694sec preferred_lft 2694sec
3: ens6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether bb:bb:bb:bb:bb:bb brd ff:ff:ff:ff:ff:ff
inet 172.31.39.237/20 brd 172.31.47.255 scope global ens6
valid_lft forever preferred_lft forever
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
link/none
inet 10.8.0.1/24 brd 10.8.0.255 scope global tun0
valid_lft forever preferred_lft forever
/etc/netplan/50-cloud-init.yaml
network:
version: 2
ethernets:
ens5: # NIC 1 = 172.31.39.1
dhcp4: true
match:
macaddress: aa:aa:aa:aa:aa:aa
set-name: ens5
/etc/netplan/51-ens6.yaml
network:
version: 2
renderer: networkd
ethernets:
ens6: # NIC 2 = 172.31.39.237
match:
macaddress: bb:bb:bb:bb:bb:bb
dhcp4: no
addresses: [172.31.39.237/20]
routes:
- to: 0.0.0.0/0
via: 172.31.32.1
table: 1000
- to: 172.31.39.1
via: 0.0.0.0
scope: link
table: 1000
routing-policy:
- from: 172.31.39.237
table: 1000
Firewall
sysctl net.ipv4.ip_forward
is set to 1.
/etc/ufw/before.rules
#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
# ufw-before-input
# ufw-before-output
# ufw-before-forward
#
# START OPENVPN RULES
*nat
:POSTROUTING ACCEPT [0:0]
# Masquerade outgoing traffic
-A POSTROUTING -o ens5 -j MASQUERADE
-A POSTROUTING -o ens6 -j MASQUERADE
-A POSTROUTING -o tun0 -j MASQUERADE
# Allow return traffic
-A INPUT -i ens5 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ens6 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A PREROUTING -i ens5 -p tcp --dport 80 -j DNAT --to-destination 10.8.0.2
-A PREROUTING -i ens6 -p tcp --dport 80 -j DNAT --to-destination 10.8.0.2
-A PREROUTING -i ens5 -p tcp --dport 443 -j DNAT --to-destination 10.8.0.2
-A PREROUTING -i ens6 -p tcp --dport 443 -j DNAT --to-destination 10.8.0.2
-A PREROUTING -i ens5 -p tcp --dport 5000 -j DNAT --to-destination 10.8.0.2
-A PREROUTING -i ens6 -p tcp --dport 5000 -j DNAT --to-destination 10.8.0.2
COMMIT
# END OPENVPN RULES
# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# End required lines
# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT
# quickly process packets for which we already have a connection
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
# ok icmp code for FORWARD
-A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT
# allow dhcp client to work
-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT
#
# ufw-not-local
#
-A ufw-before-input -j ufw-not-local
# if LOCAL, RETURN
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
# if MULTICAST, RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
# if BROADCAST, RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
# all other non-local packets are dropped
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
# allow MULTICAST mDNS for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT
# allow MULTICAST UPnP for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT
# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT
UFW status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip
To Action From
-- ------ ----
22/tcp ALLOW IN Anywhere
1194/udp ALLOW IN Anywhere
80/tcp ALLOW IN Anywhere
5000/tcp ALLOW IN Anywhere
Anywhere ALLOW IN 80/tcp
Anywhere on tun0 ALLOW IN Anywhere
22/tcp (v6) ALLOW IN Anywhere (v6)
80/tcp (v6) ALLOW IN Anywhere (v6)
5000/tcp (v6) ALLOW IN Anywhere (v6)
Anywhere (v6) ALLOW IN 80/tcp (v6)
Anywhere (v6) on tun0 ALLOW IN Anywhere (v6)
Anywhere ALLOW OUT Anywhere on tun0
80/tcp ALLOW OUT Anywhere on eth0
10.8.0.0/24 ALLOW OUT Anywhere on ens5
Anywhere ALLOW OUT Anywhere on ens5
Anywhere (v6) ALLOW OUT Anywhere (v6) on tun0
80/tcp (v6) ALLOW OUT Anywhere (v6) on eth0
Anywhere (v6) ALLOW OUT Anywhere (v6) on ens5
Routing
ip rule list
0: from all lookup local
0: from 172.31.39.237 lookup 1000
32766: from all lookup main
32767: from all lookup default
route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 172.31.32.1 0.0.0.0 UG 100 0 0 ens5
10.8.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
172.31.32.0 0.0.0.0 255.255.240.0 U 0 0 0 ens6
172.31.32.0 0.0.0.0 255.255.240.0 U 0 0 0 ens5
172.31.32.1 0.0.0.0 255.255.255.255 UH 100 0 0 ens5
ip route show table all
default via 172.31.32.1 dev ens6 table 1000 proto static
172.31.39.1 dev ens6 table 1000 proto static scope link
default via 172.31.32.1 dev ens5 proto dhcp src 172.31.39.1 metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
172.31.32.0/20 dev ens6 proto kernel scope link src 172.31.39.237
172.31.32.0/20 dev ens5 proto kernel scope link src 172.31.39.1
172.31.32.1 dev ens5 proto dhcp scope link src 172.31.39.1 metric 100
broadcast 10.8.0.0 dev tun0 table local proto kernel scope link src 10.8.0.1
local 10.8.0.1 dev tun0 table local proto kernel scope host src 10.8.0.1
broadcast 10.8.0.255 dev tun0 table local proto kernel scope link src 10.8.0.1
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 172.31.32.0 dev ens6 table local proto kernel scope link src 172.31.39.237
broadcast 172.31.32.0 dev ens5 table local proto kernel scope link src 172.31.39.1
local 172.31.39.1 dev ens5 table local proto kernel scope host src 172.31.39.1
local 172.31.39.237 dev ens6 table local proto kernel scope host src 172.31.39.237
broadcast 172.31.47.255 dev ens6 table local proto kernel scope link src 172.31.39.237
broadcast 172.31.47.255 dev ens5 table local proto kernel scope link src 172.31.39.1
local ::1 dev lo proto kernel metric 256 pref medium
fe80::/64 dev ens6 proto kernel metric 256 pref medium
fe80::/64 dev ens5 proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
local fe80::88f:a9ff:fe75:11f2 dev ens6 table local proto kernel metric 0 pref medium
local fe80::894:3dff:fe41:89b4 dev ens5 table local proto kernel metric 0 pref medium
local fe80::7507:4098:a74d:65f8 dev tun0 table local proto kernel metric 0 pref medium
ff00::/8 dev ens6 table local metric 256 pref medium
ff00::/8 dev ens5 table local metric 256 pref medium
ff00::/8 dev tun0 table local metric 256 pref medium
Client config
to be short, let's assume:
iptables -I INPUT -j ACCEPT
iptables -I FORWARD -j ACCEPT
iptables -I OUTPUT -j ACCEPT
What am i missing?
ubuntu openvpn ufw ubuntu-18.04 netplan
add a comment |
In my VPN, client with address 10.8.0.2
exposes ports 80 and 5000. I need to forward these ports on server to the client so i can access "forwarded" ports from outside of the VPN network.
I have two EC2 NICs and their ip/subnets on the server machine (both assigned AWS Elastic IP i use):
- IP availability to world
- 172.31.39.1/20 (ping works, forwarding works)
- 172.31.39.237/20 (ping works, forwarding doesn't work)
I was able to forward ens5
to that client port easily. Unfortunately, ens6
only respond for ICMP requests (ping
works for both IPs) from outside, but it is not usable to connect to my ports. The setup does not work as expected.
telnet
can't connect to ports 80,500 from outside of NIC2, ens6's public IP.- ping from outside for both NICs/IPs works
- from inside the server, i can
ping -I <dev> 8.8.8.8
both withens5
andens6
Interfaces
ip a
1: lo:
2: ens5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
link/ether aa:aa:aa:aa:aa:aa brd ff:ff:ff:ff:ff:ff
inet 172.31.39.1/20 brd 172.31.47.255 scope global dynamic ens5
valid_lft 2694sec preferred_lft 2694sec
3: ens6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether bb:bb:bb:bb:bb:bb brd ff:ff:ff:ff:ff:ff
inet 172.31.39.237/20 brd 172.31.47.255 scope global ens6
valid_lft forever preferred_lft forever
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
link/none
inet 10.8.0.1/24 brd 10.8.0.255 scope global tun0
valid_lft forever preferred_lft forever
/etc/netplan/50-cloud-init.yaml
network:
version: 2
ethernets:
ens5: # NIC 1 = 172.31.39.1
dhcp4: true
match:
macaddress: aa:aa:aa:aa:aa:aa
set-name: ens5
/etc/netplan/51-ens6.yaml
network:
version: 2
renderer: networkd
ethernets:
ens6: # NIC 2 = 172.31.39.237
match:
macaddress: bb:bb:bb:bb:bb:bb
dhcp4: no
addresses: [172.31.39.237/20]
routes:
- to: 0.0.0.0/0
via: 172.31.32.1
table: 1000
- to: 172.31.39.1
via: 0.0.0.0
scope: link
table: 1000
routing-policy:
- from: 172.31.39.237
table: 1000
Firewall
sysctl net.ipv4.ip_forward
is set to 1.
/etc/ufw/before.rules
#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
# ufw-before-input
# ufw-before-output
# ufw-before-forward
#
# START OPENVPN RULES
*nat
:POSTROUTING ACCEPT [0:0]
# Masquerade outgoing traffic
-A POSTROUTING -o ens5 -j MASQUERADE
-A POSTROUTING -o ens6 -j MASQUERADE
-A POSTROUTING -o tun0 -j MASQUERADE
# Allow return traffic
-A INPUT -i ens5 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ens6 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A PREROUTING -i ens5 -p tcp --dport 80 -j DNAT --to-destination 10.8.0.2
-A PREROUTING -i ens6 -p tcp --dport 80 -j DNAT --to-destination 10.8.0.2
-A PREROUTING -i ens5 -p tcp --dport 443 -j DNAT --to-destination 10.8.0.2
-A PREROUTING -i ens6 -p tcp --dport 443 -j DNAT --to-destination 10.8.0.2
-A PREROUTING -i ens5 -p tcp --dport 5000 -j DNAT --to-destination 10.8.0.2
-A PREROUTING -i ens6 -p tcp --dport 5000 -j DNAT --to-destination 10.8.0.2
COMMIT
# END OPENVPN RULES
# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# End required lines
# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT
# quickly process packets for which we already have a connection
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
# ok icmp code for FORWARD
-A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT
# allow dhcp client to work
-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT
#
# ufw-not-local
#
-A ufw-before-input -j ufw-not-local
# if LOCAL, RETURN
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
# if MULTICAST, RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
# if BROADCAST, RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
# all other non-local packets are dropped
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
# allow MULTICAST mDNS for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT
# allow MULTICAST UPnP for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT
# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT
UFW status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip
To Action From
-- ------ ----
22/tcp ALLOW IN Anywhere
1194/udp ALLOW IN Anywhere
80/tcp ALLOW IN Anywhere
5000/tcp ALLOW IN Anywhere
Anywhere ALLOW IN 80/tcp
Anywhere on tun0 ALLOW IN Anywhere
22/tcp (v6) ALLOW IN Anywhere (v6)
80/tcp (v6) ALLOW IN Anywhere (v6)
5000/tcp (v6) ALLOW IN Anywhere (v6)
Anywhere (v6) ALLOW IN 80/tcp (v6)
Anywhere (v6) on tun0 ALLOW IN Anywhere (v6)
Anywhere ALLOW OUT Anywhere on tun0
80/tcp ALLOW OUT Anywhere on eth0
10.8.0.0/24 ALLOW OUT Anywhere on ens5
Anywhere ALLOW OUT Anywhere on ens5
Anywhere (v6) ALLOW OUT Anywhere (v6) on tun0
80/tcp (v6) ALLOW OUT Anywhere (v6) on eth0
Anywhere (v6) ALLOW OUT Anywhere (v6) on ens5
Routing
ip rule list
0: from all lookup local
0: from 172.31.39.237 lookup 1000
32766: from all lookup main
32767: from all lookup default
route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 172.31.32.1 0.0.0.0 UG 100 0 0 ens5
10.8.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
172.31.32.0 0.0.0.0 255.255.240.0 U 0 0 0 ens6
172.31.32.0 0.0.0.0 255.255.240.0 U 0 0 0 ens5
172.31.32.1 0.0.0.0 255.255.255.255 UH 100 0 0 ens5
ip route show table all
default via 172.31.32.1 dev ens6 table 1000 proto static
172.31.39.1 dev ens6 table 1000 proto static scope link
default via 172.31.32.1 dev ens5 proto dhcp src 172.31.39.1 metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
172.31.32.0/20 dev ens6 proto kernel scope link src 172.31.39.237
172.31.32.0/20 dev ens5 proto kernel scope link src 172.31.39.1
172.31.32.1 dev ens5 proto dhcp scope link src 172.31.39.1 metric 100
broadcast 10.8.0.0 dev tun0 table local proto kernel scope link src 10.8.0.1
local 10.8.0.1 dev tun0 table local proto kernel scope host src 10.8.0.1
broadcast 10.8.0.255 dev tun0 table local proto kernel scope link src 10.8.0.1
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 172.31.32.0 dev ens6 table local proto kernel scope link src 172.31.39.237
broadcast 172.31.32.0 dev ens5 table local proto kernel scope link src 172.31.39.1
local 172.31.39.1 dev ens5 table local proto kernel scope host src 172.31.39.1
local 172.31.39.237 dev ens6 table local proto kernel scope host src 172.31.39.237
broadcast 172.31.47.255 dev ens6 table local proto kernel scope link src 172.31.39.237
broadcast 172.31.47.255 dev ens5 table local proto kernel scope link src 172.31.39.1
local ::1 dev lo proto kernel metric 256 pref medium
fe80::/64 dev ens6 proto kernel metric 256 pref medium
fe80::/64 dev ens5 proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
local fe80::88f:a9ff:fe75:11f2 dev ens6 table local proto kernel metric 0 pref medium
local fe80::894:3dff:fe41:89b4 dev ens5 table local proto kernel metric 0 pref medium
local fe80::7507:4098:a74d:65f8 dev tun0 table local proto kernel metric 0 pref medium
ff00::/8 dev ens6 table local metric 256 pref medium
ff00::/8 dev ens5 table local metric 256 pref medium
ff00::/8 dev tun0 table local metric 256 pref medium
Client config
to be short, let's assume:
iptables -I INPUT -j ACCEPT
iptables -I FORWARD -j ACCEPT
iptables -I OUTPUT -j ACCEPT
What am i missing?
ubuntu openvpn ufw ubuntu-18.04 netplan
In my VPN, client with address 10.8.0.2
exposes ports 80 and 5000. I need to forward these ports on server to the client so i can access "forwarded" ports from outside of the VPN network.
I have two EC2 NICs and their ip/subnets on the server machine (both assigned AWS Elastic IP i use):
- IP availability to world
- 172.31.39.1/20 (ping works, forwarding works)
- 172.31.39.237/20 (ping works, forwarding doesn't work)
I was able to forward ens5
to that client port easily. Unfortunately, ens6
only respond for ICMP requests (ping
works for both IPs) from outside, but it is not usable to connect to my ports. The setup does not work as expected.
telnet
can't connect to ports 80,500 from outside of NIC2, ens6's public IP.- ping from outside for both NICs/IPs works
- from inside the server, i can
ping -I <dev> 8.8.8.8
both withens5
andens6
Interfaces
ip a
1: lo:
2: ens5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
link/ether aa:aa:aa:aa:aa:aa brd ff:ff:ff:ff:ff:ff
inet 172.31.39.1/20 brd 172.31.47.255 scope global dynamic ens5
valid_lft 2694sec preferred_lft 2694sec
3: ens6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether bb:bb:bb:bb:bb:bb brd ff:ff:ff:ff:ff:ff
inet 172.31.39.237/20 brd 172.31.47.255 scope global ens6
valid_lft forever preferred_lft forever
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
link/none
inet 10.8.0.1/24 brd 10.8.0.255 scope global tun0
valid_lft forever preferred_lft forever
/etc/netplan/50-cloud-init.yaml
network:
    version: 2
    ethernets:
        ens5: # NIC 1 = 172.31.39.1
            dhcp4: true
            match:
                macaddress: aa:aa:aa:aa:aa:aa
            set-name: ens5

/etc/netplan/51-ens6.yaml
network:
    version: 2
    renderer: networkd
    ethernets:
        ens6: # NIC 2 = 172.31.39.237
            match:
                macaddress: bb:bb:bb:bb:bb:bb
            dhcp4: no
            addresses: [172.31.39.237/20]
            routes:
                - to: 0.0.0.0/0
                  via: 172.31.32.1
                  table: 1000
                - to: 172.31.39.1
                  via: 0.0.0.0
                  scope: link
                  table: 1000
            routing-policy:
                - from: 172.31.39.237
                  table: 1000
Firewall
sysctl net.ipv4.ip_forward is set to 1.
/etc/ufw/before.rules
#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
# ufw-before-input
# ufw-before-output
# ufw-before-forward
#
# START OPENVPN RULES
*nat
:POSTROUTING ACCEPT [0:0]
# Masquerade outgoing traffic
-A POSTROUTING -o ens5 -j MASQUERADE
-A POSTROUTING -o ens6 -j MASQUERADE
-A POSTROUTING -o tun0 -j MASQUERADE
# Allow return traffic
-A INPUT -i ens5 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ens6 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A PREROUTING -i ens5 -p tcp --dport 80 -j DNAT --to-destination 10.8.0.2
-A PREROUTING -i ens6 -p tcp --dport 80 -j DNAT --to-destination 10.8.0.2
-A PREROUTING -i ens5 -p tcp --dport 443 -j DNAT --to-destination 10.8.0.2
-A PREROUTING -i ens6 -p tcp --dport 443 -j DNAT --to-destination 10.8.0.2
-A PREROUTING -i ens5 -p tcp --dport 5000 -j DNAT --to-destination 10.8.0.2
-A PREROUTING -i ens6 -p tcp --dport 5000 -j DNAT --to-destination 10.8.0.2
COMMIT
# END OPENVPN RULES
# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# End required lines
# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT
# quickly process packets for which we already have a connection
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
# ok icmp code for FORWARD
-A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT
# allow dhcp client to work
-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT
#
# ufw-not-local
#
-A ufw-before-input -j ufw-not-local
# if LOCAL, RETURN
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
# if MULTICAST, RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
# if BROADCAST, RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
# all other non-local packets are dropped
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
# allow MULTICAST mDNS for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT
# allow MULTICAST UPnP for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT
# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT
UFW status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip
To Action From
-- ------ ----
22/tcp ALLOW IN Anywhere
1194/udp ALLOW IN Anywhere
80/tcp ALLOW IN Anywhere
5000/tcp ALLOW IN Anywhere
Anywhere ALLOW IN 80/tcp
Anywhere on tun0 ALLOW IN Anywhere
22/tcp (v6) ALLOW IN Anywhere (v6)
80/tcp (v6) ALLOW IN Anywhere (v6)
5000/tcp (v6) ALLOW IN Anywhere (v6)
Anywhere (v6) ALLOW IN 80/tcp (v6)
Anywhere (v6) on tun0 ALLOW IN Anywhere (v6)
Anywhere ALLOW OUT Anywhere on tun0
80/tcp ALLOW OUT Anywhere on eth0
10.8.0.0/24 ALLOW OUT Anywhere on ens5
Anywhere ALLOW OUT Anywhere on ens5
Anywhere (v6) ALLOW OUT Anywhere (v6) on tun0
80/tcp (v6) ALLOW OUT Anywhere (v6) on eth0
Anywhere (v6) ALLOW OUT Anywhere (v6) on ens5
Routing
ip rule list
0: from all lookup local
0: from 172.31.39.237 lookup 1000
32766: from all lookup main
32767: from all lookup default
route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 172.31.32.1 0.0.0.0 UG 100 0 0 ens5
10.8.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
172.31.32.0 0.0.0.0 255.255.240.0 U 0 0 0 ens6
172.31.32.0 0.0.0.0 255.255.240.0 U 0 0 0 ens5
172.31.32.1 0.0.0.0 255.255.255.255 UH 100 0 0 ens5
ip route show table all
default via 172.31.32.1 dev ens6 table 1000 proto static
172.31.39.1 dev ens6 table 1000 proto static scope link
default via 172.31.32.1 dev ens5 proto dhcp src 172.31.39.1 metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
172.31.32.0/20 dev ens6 proto kernel scope link src 172.31.39.237
172.31.32.0/20 dev ens5 proto kernel scope link src 172.31.39.1
172.31.32.1 dev ens5 proto dhcp scope link src 172.31.39.1 metric 100
broadcast 10.8.0.0 dev tun0 table local proto kernel scope link src 10.8.0.1
local 10.8.0.1 dev tun0 table local proto kernel scope host src 10.8.0.1
broadcast 10.8.0.255 dev tun0 table local proto kernel scope link src 10.8.0.1
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 172.31.32.0 dev ens6 table local proto kernel scope link src 172.31.39.237
broadcast 172.31.32.0 dev ens5 table local proto kernel scope link src 172.31.39.1
local 172.31.39.1 dev ens5 table local proto kernel scope host src 172.31.39.1
local 172.31.39.237 dev ens6 table local proto kernel scope host src 172.31.39.237
broadcast 172.31.47.255 dev ens6 table local proto kernel scope link src 172.31.39.237
broadcast 172.31.47.255 dev ens5 table local proto kernel scope link src 172.31.39.1
local ::1 dev lo proto kernel metric 256 pref medium
fe80::/64 dev ens6 proto kernel metric 256 pref medium
fe80::/64 dev ens5 proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
local fe80::88f:a9ff:fe75:11f2 dev ens6 table local proto kernel metric 0 pref medium
local fe80::894:3dff:fe41:89b4 dev ens5 table local proto kernel metric 0 pref medium
local fe80::7507:4098:a74d:65f8 dev tun0 table local proto kernel metric 0 pref medium
ff00::/8 dev ens6 table local metric 256 pref medium
ff00::/8 dev ens5 table local metric 256 pref medium
ff00::/8 dev tun0 table local metric 256 pref medium
Client config
To be short, let's assume:
iptables -I INPUT -j ACCEPT
iptables -I FORWARD -j ACCEPT
iptables -I OUTPUT -j ACCEPT
What am I missing?
ubuntu openvpn ufw ubuntu-18.04 netplan
asked yesterday by Croll, edited 4 mins ago
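The following is an added example, not code from the question or from any answer to it. It models one plausible reason the policy rule in the question does not steer replies for connections that arrived on ens6, and emits the conntrack-mark rules that would (assumption, mine: the reply from 10.8.0.2 is routed before the nat table rewrites its source back to 172.31.39.237, so "from 172.31.39.237 lookup 1000" never matches it); the function names, the mark value 0x1000 and the rule priority 999 are my choices.

```shell
#!/bin/sh
# Added example (not from the original question): why replies of a DNAT'ed
# connection that arrived on ens6 leave via ens5, and the rules that fix it.
# Assumption: the reply is routed first and its source is restored to the
# NIC address only afterwards (POSTROUTING), so a source-based ip rule
# cannot see 172.31.39.237 and the main table's default route (ens5) wins.
set -eu

NIC2=ens6
TABLE=1000
MARK=0x1000   # constructed value; any fwmark not used elsewhere works

# Model of the policy rules: the two rules from the question's "ip rule list"
# plus the fwmark rule emitted by fix_rules. Prints the table consulted for
# a packet with source $1 and fwmark $2 (0 means unmarked).
table_for() {
    if [ "$1" = 172.31.39.237 ]; then echo "$TABLE"   # from 172.31.39.237 lookup 1000
    elif [ "$2" = "$MARK" ]; then echo "$TABLE"       # fwmark 0x1000 lookup 1000 (added)
    else echo main; fi                                # from all lookup main
}

# Interface of each table's default route, per "ip route show table all".
egress_for_table() {
    case $1 in 1000) echo ens6 ;; main) echo ens5 ;; *) echo unknown ;; esac
}

# Reply path of a forwarded connection: the packet from 10.8.0.2 comes in on
# tun0, is routed, and only then gets its source restored to the NIC address.
# Prints "egress=<dev> src=<addr>" for a reply carrying fwmark $1.
reply_path() {
    dev=$(egress_for_table "$(table_for 10.8.0.2 "$1")")
    echo "egress=$dev src=172.31.39.237"
}

# The fix: remember the NIC a connection arrived on (CONNMARK on its first
# packet), copy that mark onto every later packet of the connection before
# the routing decision, and send marked packets through table 1000.
fix_rules() {
    cat <<EOF
iptables -t mangle -A PREROUTING -i $NIC2 -m conntrack --ctstate NEW -j CONNMARK --set-mark $MARK
iptables -t mangle -A PREROUTING -i tun0 -j CONNMARK --restore-mark
ip rule add fwmark $MARK lookup $TABLE priority 999
EOF
}

reply_path 0        # egress=ens5 src=172.31.39.237  (unmarked: wrong NIC)
reply_path "$MARK"  # egress=ens6 src=172.31.39.237  (mark restored: ens6)
fix_rules
```

With ufw, the two iptables lines belong in a *mangle section of /etc/ufw/before.rules (with its own COMMIT), not in the *nat block the question shows.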